fix: use llvm-objdump-20 for Mach-O re-signing in version injection #21953
Merged
ludamad merged 1 commit on Mar 24, 2026
johnathan79717 approved these changes Mar 24, 2026
f342953 to e0238d1
The inject_version function modifies binaries to embed a version string, invalidating any existing code signature. On Linux CI, re-signing of cross-compiled macOS binaries was skipped because the Mach-O detection used llvm-objdump (unversioned) which doesn't exist — only llvm-objdump-20 does. This left macOS binaries with an invalidated linker-signed signature, causing macOS to kill them on launch (SIGKILL/exit 137). Fix: detect Mach-O via magic bytes (CFFAEDFE/CEFAEDFE) instead of llvm-objdump, which also incorrectly returns 0 for ELF binaries.
e0238d1 to d4e74bb
github-merge-queue Bot pushed a commit that referenced this pull request Mar 30, 2026
…from amd64 (#22120)

## Summary

The nightly Docker image build has been failing since March 25 because the ARM64 release instance tries to run `ldid` (an x86_64 Linux binary) to re-sign cross-compiled Mach-O binaries after version injection. This was exposed by PR #21953 which fixed `llvm-objdump` → `llvm-objdump-20`, making Mach-O detection actually work — before that, the detection silently failed so `ldid` was never called.

## Fix

Gate the `ldid` call behind `$(arch) == amd64` in `inject_version`. The ARM64 instance doesn't need to sign Mach-O binaries because all macOS release artifacts are published exclusively from the amd64 instance:

- **GitHub releases** (tarballs): packaged by `build_release_dir`, runs on amd64 only
- **bb.js npm packages**: `copy_cross.sh` already guards ldid with `[[ "$(arch)" == "amd64" ]]`
- **Docker images**: Linux binaries only, no Mach-O signing needed

The ARM64 instance builds cross targets (macOS, Windows, iOS, Android) to populate the shared build cache, but never publishes them.

## Impact

Unblocks the nightly release pipeline → unblocks Deploy Next Net (failing 6 days).

## Changed file

`barretenberg/cpp/bootstrap.sh` — one-line change in `inject_version`
## Summary

- `inject_version` in `bootstrap.sh` used `llvm-objdump` (unversioned) to detect Mach-O binaries for re-signing, but the CI environment only has `llvm-objdump-20`
- `&>/dev/null`), skipping `ldid -S` re-signing after version injection, leaving binaries with an invalidated linker-signed code signature
- `llvm-objdump` → `llvm-objdump-20`
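
The magic-byte check named in the commit message, combined with the amd64 gate from #22120, as an added example (not the project's `bootstrap.sh`). The function names `magic_hex`, `is_macho` and `resign_action` are hypothetical, and the host architecture and signer name are passed as arguments so the decision can be exercised without `ldid`; a missing signer is a hard error here instead of being read as "not Mach-O".

```shell
#!/bin/sh
# Added example; function names are hypothetical, not taken from bootstrap.sh.

# Print the first four bytes of a file as uppercase hex, e.g. CFFAEDFE.
magic_hex() {
  head -c 4 -- "$1" | od -An -tx1 | tr -d ' \n' | tr 'a-f' 'A-F'
}

# Return 0 only for thin Mach-O files, using the two magics from the commit
# message. Universal (fat) binaries use a different magic and are not matched.
is_macho() {
  [ -f "$1" ] || return 1
  case "$(magic_hex "$1")" in
    CFFAEDFE|CEFAEDFE) return 0 ;;
    *) return 1 ;;
  esac
}

# Decide what must happen to FILE after version injection.
#   $1 = file, $2 = host architecture, $3 = signer command name
# Prints skip-not-macho, skip-arch or sign.
# Returns 2 when signing is required but the signer is not installed, so a
# missing tool stops the build instead of silently skipping the re-sign.
resign_action() {
  if ! is_macho "$1"; then
    echo skip-not-macho
    return 0
  fi
  if [ "$2" != amd64 ]; then
    echo skip-arch
    return 0
  fi
  if ! command -v "$3" >/dev/null 2>&1; then
    echo "error: $3 not found; $1 would keep an invalidated signature" >&2
    return 2
  fi
  echo sign
}
```

A caller would run the signer only when `resign_action` prints `sign`, and abort the build on a non-zero return.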